Sleuths Trace New Zero-Day Attacks to Hackers Who Hit Google

Graphic showing how the Elderwood gang conducts its attacks. Image: Courtesy of Symantec

It's been more than two years since Google broke corporate protocol by revealing that it had been the victim of a persistent and sophisticated hack, traced to intruders in China that the company all but said were working for the government.

And it turns out the hacker gang that hit the search giant hasn't been resting on its reputation; it's been busy targeting other companies and organizations, using some of the same methods of attack, as well as a remarkable menu of valuable zero-day vulnerabilities. The attackers used at least eight zero-days in the last three years, including ones that targeted the ubiquitous software plugin Flash and Microsoft's popular IE browser.

Researchers at Symantec traced the groupâ€™s work after finding a number of similarities between the Google attack code and methods and those used against other companies and organizations over the last few years.

The researchers, who describe their findings in a report published Friday, say the gang – which they have dubbed the "Elderwood gang" based on the name of a parameter used in the attack codes – appears to have breached more than 1,000 computers in companies spread throughout several sectors – including defense, shipping, oil and gas, financial, technology and ISPs. The group has also targeted non-governmental organizations, particularly ones connected to human rights activities related to Tibet and China.

The majority of the victims have been in the U.S., with the attacks focused on gathering intelligence and stealing intellectual property – such as product design documents and trade secrets, infrastructure details and information about contacts. Many of the attacks have involved supply-chain companies that provide services or electronic and mechanical parts to targeted industries. Symantec says it appears the attackers have used victims in the supply chain as stepping-stones to breach the companies they're really targeting.

In some cases the gang used spear-phishing attacks to infect their targets through an exploit embedded in an e-mail attachment or through a link to a malicious web site; but they have increasingly used another technique that involves breaching web sites that cater to a particular audience they want to target – such as an aeronautical web site catering to workers in the defense industry – and injecting an exploit into web pages, then waiting for victims to visit the pages and be infected.

In these so-called "watering hole" attacks – named for their similarity to a lion waiting for unsuspecting prey to arrive at a watering hole – an invisible iframe on the web site causes victim computers to contact a server and silently download a backdoor Trojan that gives the attackers control over the victim's machine.
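As an added illustration (not from the article or from Symantec's report), a small defender-side check for the hidden-iframe injection described above: it parses a page's HTML and flags zero-sized or hidden iframes whose `src` points to a host other than the site's own. The sample HTML, the host names and the IP address are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one ordinary same-origin iframe and one hidden,
# zero-sized iframe that loads content from an unrelated host.
SAMPLE_HTML = """
<html><body>
<h1>Aeronautics News</h1>
<iframe src="/ads/banner.html" width="300" height="250"></iframe>
<iframe src="http://203.0.113.10/x.html" width="0" height="0" style="visibility: hidden"></iframe>
</body></html>
"""


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_hidden(attrs):
    """True if the iframe is sized to zero or hidden through its inline style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    zero_sized = any(attrs.get(dim, "").strip() in ("0", "0px") for dim in ("width", "height"))
    return zero_sized or "display:none" in style or "visibility:hidden" in style


def find_suspicious_iframes(html, site_host):
    """Return the src of each hidden iframe that loads content from a host other than site_host.

    Relative or same-host iframes are ignored; only hidden off-site ones are reported.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname
        if host and host != site_host and _is_hidden(attrs):
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_suspicious_iframes(SAMPLE_HTML, "www.example-aero.test"):
        print("hidden off-site iframe:", src)
```

Run it against a saved copy of a page (or a crawl of a site you operate) and review every hit by hand; a hidden off-site iframe is a strong indicator of the injection described above but is not proof on its own.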

Symantec believes the gang involves several teams of varying skills and duties. One team of highly skilled programmers is likely tasked with finding zero-day vulnerabilities, writing exploits, crafting re-usable platform tools, and infecting web sites; while a less skilled team is involved with identifying targets based on various goals – stealing design documents for a military product or tracking the activities of human rights activists – and sending out the spear-phishing attacks. A third team is likely tasked with reviewing and analyzing the intelligence and intellectual property stolen from victims.

Graphic showing how so-called "watering hole" attacks work. Courtesy of Symantec

Eric Chien, senior technical director for Symantec Security Response, says the attackers appeared to operate in waves – going after groups of targets aggressively for three months at a time or so, then going quiet for a while before the next wave of attacks. He speculates that they may be spending the quiet time sifting through and analyzing documents and data they've stolen before collecting more from new targets.

The most remarkable thing about the attackers, however, is the number of zero-day vulnerabilities they have burned through in the last three years, which, Symantec says, suggests that they may have access to source code for the popular applications they're exploiting, or may have so thoroughly reverse-engineered the applications that they have a ready supply of valuable vulnerabilities waiting to be exploited as needed.

"It takes a huge number of people a lot of time to thoroughly reverse-engineer those applications," Chien says, "or, they potentially have a jumpstart if they have source code."

"It often will shift to using a new vulnerability shortly before one of its current favorites is exposed, suggesting the crew watches the developments in the underground and legitimate security communities closely."

# EDB Note - Live POC originally found at http://qoop.org/security/poc/cve-2010-1297/
# File is malicious! Taken from the wild! Beware!
# To decrypt the file:
# openssl aes-256-cbc -d -a -in adobe-0day-2010-1297.tar.enc -out adobe-0day-2010-1297.tar
# Password is "edb" without the quotes.

NOTE: This was taken out of live malware and was not modified. BEWARE.